HeneryH
Posts: 7
Joined: Fri Nov 14, 2014 7:55 pm

PiVPN (OpenVPN) routing woes...

Mon Apr 22, 2019 2:51 pm

I have a remote site with a Pi at it that I want to connect to using VPN. Simple goal is to set up the Pi at the remote site and install the PiVPN server.

The remote site with the Pi is set up on a 192.168.1.x network.

The install went well. I created a client file, and using that file I can connect from my local network and Win10 client. When my Win10 client connects it gets a 10.10.x.y address.

The local site is also on a 192.168.1.x network. I think this is causing problems.

I think I have to dig into the route pushing etc... It wasn't quite so simple for me!

HeneryH
Posts: 7
Joined: Fri Nov 14, 2014 7:55 pm

Re: PiVPN (OpenVPN) routing woes...

Mon Apr 22, 2019 4:18 pm

This is the scenario I have

                          +-------------------------+
               (public IP)|                         |
  {INTERNET}=============={     Router              |
                          |                         |
                          |         LAN switch      |
                          +------------+------------+
                                       | (192.168.1.1)
                                       |
                                       |              +-----------------------+
                                       |              |                       |
                                       |              |        OpenVPN        |  eth0: 192.168.1.xx/24
                                       +--------------{eth0    server         |  tun0: 10.8.0.1/24
                                       |              |                       |
                                       |              |           {tun0}      |
                                       |              +-----------------------+
                                       |
                              +--------+-----------+
                              |                    |
                              |  Other LAN clients |
                              |                    |
                              |   192.168.1.0/24   |
                              |   (internal net)   |
                              +--------------------+

epoch1970
Posts: 2770
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: PiVPN (OpenVPN) routing woes...

Mon Apr 22, 2019 6:50 pm

I think you’ll need “client-nat snat|dnat” config statements in order to get openvpn to execute a double 1:1 NAT so that LANs stop overlapping.
https://unix.stackexchange.com/question ... tical-lans

Not too pretty, overall. Perhaps renumbering one side is a better idea.
(I’ve never tried using this, personally)
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

HeneryH
Posts: 7
Joined: Fri Nov 14, 2014 7:55 pm

Re: PiVPN (OpenVPN) routing woes...

Mon Apr 22, 2019 6:55 pm

I'm OK with totally disassociating myself with my local LAN when I connect to the remote LAN. For the short periods of time I need to remotely work on the remote network I don't need any smart routing to get access to both networks simultaneously.

epoch1970
Posts: 2770
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: PiVPN (OpenVPN) routing woes...

Mon Apr 22, 2019 7:08 pm

HeneryH wrote:
Mon Apr 22, 2019 6:55 pm
I'm OK with totally disassociating myself with my local LAN when I connect to the remote LAN. For the short periods of time I need to remotely work on the remote network I don't need any smart routing to get access to both networks simultaneously.
Oh. So no problem I would think.
I don’t use server mode much in openvpn, I am a bit stuck in the past decade and p2p mode. Nevertheless:
- In routed mode if you redirect the default route through the VPN I think you should see an openvpn client connect to the server, “detach” from the local LAN and then get access to the remote LAN. You’d need one openvpn client per machine.
- In bridge mode, you can have a single Pi client bridge its openvpn tap device and a VLAN, say eth0.100; then on any LAN machine, disable eth0, enable eth0.100, and it will be part of the remote LAN.
With a small network, tunneling the broadcasts doesn’t amount to much extra traffic.
(Have STP enabled in the bridges if site to site bridging; keeping both eth0 and eth0.100 inadvertently enabled could cause a broadcast storm.)

HTH
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
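Added example, not written by any poster in this thread: a small model of the client's routing decision when both sites use 192.168.1.0/24 and the default route is redirected through the VPN, next to the same lookup after renumbering one side. It assumes OpenVPN's `redirect-gateway def1` behaviour (two /1 routes added beside the original default route); the host 192.168.1.50, the renumbered 192.168.50.0/24 network and the interface labels `lan`/`tun` are constructed for illustration, and the 10.8.0.0/24 tunnel subnet is taken from the diagram above.

```python
import ipaddress as ip

TUNNEL = "10.8.0.0/24"  # tun0 subnet from the diagram in the thread


def client_routes(local_lan):
    """Constructed client routing table after connecting with the default
    route redirected (def1 adds two /1 routes; 0.0.0.0/0 is left in place).
    Simplified: the host route to the server's public IP is omitted."""
    return [
        (ip.ip_network(local_lan), "lan"),    # on-link route for the client's own LAN
        (ip.ip_network("0.0.0.0/0"), "lan"),  # original default via the local router
        (ip.ip_network(TUNNEL), "tun"),       # VPN subnet
        (ip.ip_network("0.0.0.0/1"), "tun"),  # redirect-gateway def1, lower half
        (ip.ip_network("128.0.0.0/1"), "tun"),  # redirect-gateway def1, upper half
    ]


def egress(dest, routes):
    """Interface chosen for dest by longest-prefix match."""
    addr = ip.ip_address(dest)
    _, iface = max((r for r in routes if addr in r[0]),
                   key=lambda r: r[0].prefixlen)
    return iface


def lans_overlap(local_lan, remote_lan):
    """True when the two sites' address ranges collide."""
    return ip.ip_network(local_lan).overlaps(ip.ip_network(remote_lan))


def reachable_over_vpn(remote_host, local_lan):
    """True when traffic to remote_host leaves through the tunnel."""
    return egress(remote_host, client_routes(local_lan)) == "tun"


if __name__ == "__main__":
    remote_lan, remote_host = "192.168.1.0/24", "192.168.1.50"  # constructed host
    for local_lan in ("192.168.1.0/24", "192.168.50.0/24"):  # as-is vs. renumbered
        routes = client_routes(local_lan)
        print(f"local LAN {local_lan}: overlap={lans_overlap(local_lan, remote_lan)}",
              f"remote host via {egress(remote_host, routes)},",
              f"internet via {egress('8.8.8.8', routes)},",
              f"VPN server via {egress('10.8.0.1', routes)}")
```

In this model the /24 on-link route is more specific than either /1 route, so with identical LANs the lookup for 192.168.1.50 stays on the local interface while internet traffic and 10.8.0.1 go through the tunnel.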
